VwGH - Ro 2020/04/0031-9
Austrian court rules credit agencies must erase insolvency data post-registry deletion.
Summary
The Austrian Supreme Administrative Court ruled that credit agencies must erase personal data obtained from public insolvency registers once that data is removed from the register. This decision aligns with recent CJEU rulings and emphasizes that continued processing, even for creditworthiness assessment, is unlawful if the data is no longer publicly available. The court also affirmed the data subject's right to erasure under GDPR Article 17.
Full text
Help VwGH - Ro 2020/04/0031-9: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 14:49, 27 March 2024 view sourceIm (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators321 editsm← Older edit Latest revision as of 14:18, 9 July 2026 view source Ds (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators158 editsm Tag: Visual edit (One intermediate revision by the same user not shown)Line 35: Line 35: |EU_Law_Name_1=Article 7 CFR|EU_Law_Name_1=Article 7 CFR |EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%253A12012P%252FTXT|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:12012P/TXT |EU_Law_Name_2=Article 8 CFR|EU_Law_Name_2=Article 8 CFR |EU_Law_Link_2=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%253A12012P%252FTXT|EU_Law_Link_2=https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:12012P/TXT |EU_Law_Name_3=|EU_Law_Name_3= |EU_Law_Link_3=|EU_Law_Link_3= Line 79: Line 79: The controller, a credit ranking agency, continued to process and store personal data of the data subject that related to his debt settlement procedure that the controller obtained from the public insolvency register. The purpose of the procesing was to assess the creditworthiness of the data subject and his company. The data subject was the company's sole shareholder.The controller, a credit ranking agency, continued to process and store personal data of the data subject that related to his debt settlement procedure that the controller obtained from the public insolvency register. The purpose of the procesing was to assess the creditworthiness of the data subject and his company. The data subject was the company's sole shareholder. The data subject requested the erasure of his personal data on 4 May 2018, after fulfilling his debt payment plan. The controller did not reply. On 24 October 2018, the data subject lodged a complaint at the Austrian DPA against the controller for the infringement of the right to erasure under [[Article 17 GDPR|Article 17 GDPR]]. The data subject requested the erasure of his personal data on 4 May 2018, after fulfilling his debt payment plan. The controller did not reply. On 24 October 2018, the data subject lodged a complaint at the Austrian DPA against the controller for the infringement of the right to erasure under [[Article 17 GDPR]]. The controller informed the DPA by letter the same day that it would not comply with this request.The controller informed the DPA by letter the same day that it would not comply with this request. Line 98: Line 98: Previous Austrian jurisprudence stated that credit agencies could collect and process personal data collected through the public insolvency register up to 5 years after deletion of the data concerned in the registry. However, the recent [https://gdprhub.eu/index.php?title=CJEU_-_Joined_Cases_C%E2%80%9126/22_and_C%E2%80%9164/22_-_SCHUFA CJEU C-26/22 and C-64/22 – Schufa] case stated that the lawfulness of the processing by the controller must be assessed solely in light of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. In particular, the CJEU also ruled that credit agencies cannot process data they collected from the insolvency register once that data has been deleted from the registry itself (see [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62022CJ0026 CJEU C-26/22 and C-64/22 – Schufa] para 99). The CJEU noted that in Germany the data in the insolvency register is only kept for up to 6 months and therefore, after the expiry of a six-month period, the rights and interests of the data subject take precedence over those of the public to have access to that information.Previous Austrian jurisprudence stated that credit agencies could collect and process personal data collected through the public insolvency register up to 5 years after deletion of the data concerned in the registry. However, the recent [https://gdprhub.eu/index.php?title=CJEU_-_Joined_Cases_C%E2%80%9126/22_and_C%E2%80%9164/22_-_SCHUFA CJEU C-26/22 and C-64/22 – Schufa] case stated that the lawfulness of the processing by the controller must be assessed solely in light of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]]. In particular, the CJEU also ruled that credit agencies cannot process data they collected from the insolvency register once that data has been deleted from the registry itself (see [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62022CJ0026 CJEU C-26/22 and C-64/22 – Schufa] para 99). The CJEU noted that in Germany the data in the insolvency register is only kept for up to 6 months and therefore, after the expiry of a six-month period, the rights and interests of the data subject take precedence over those of the public to have access to that information. In light of the [https://gdprhub.eu/index.php?title=CJEU_-_Joined_Cases_C%E2%80%9126/22_and_C%E2%80%9164/22_-_SCHUFA CJEU C-26/22 and C-64/22 – Schufa] case, the Supreme Administrative Court found that the processing of this data, including the storage, analysis and disclosure of this data to a third party by the controller, constitutes a serious interference with the fundamental rights of the data subject under [http://fra.europa.eu/en/eu-charter/article/7-respect-private-and-family-life Article 7 CFR] and [http://fra.europa.eu/en/eu-charter/article/8-protection-personal-data Article 8 CFR]. The processing of such data can significantly harm the interests of the data subject because the disclosure is likely to make it considerably more difficult for him to exercise his freedoms. The Court stated that the objective of a payment plan is the economic recovery of the data subject. The request to erasure of personal data due to fulfilling the payment plan is intended to prevent the data subject from being impaired in business dealings by the public announcement of earlier insolvency proceedings. Therefore, the data subject’s economic recovery is jeopardised if a credit agency, thus the controller in this case, stores data on the data subject’s insolvency proceedings in order to assess the data subject’s creditworthiness, as this data is always used as a negative factor in the assessment. In light of this, the legitimate interests of the controller to process data regarding the insolvency proceedings of the data subject can no longer justify the processing of these personal data after this data in the insolvency register is made unavailable for the public . In light of the [https://gdprhub.eu/index.php?title=CJEU_-_Joined_Cases_C%E2%80%9126/22_and_C%E2%80%9164/22_-_SCHUFA CJEU C-26/22 and C-64/22 – Schufa] case, the Supreme Administrative Court found that the processing of this data, including the storage, analysis and disclosure of this data to a third party by the controller, constitutes a serious interference with the fundamental rights of the data subject under [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:12012P/TXT Article 7 CFR] and [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:12012P/TXT Article 8 CFR]. The processing of such data can significantly harm the interests of the data subject because the disclosure is likely to make it considerably more difficult for him to exercise his freedoms. The Court stated that the objective of a payment plan is the economic recovery of the data subject. The request to erasure of personal data due to fulfilling the payment plan is intended to prevent the data subject from being impaired in business dealings by the public announcement of earlier insolvency proceedings. Therefore, the data subject’s economic recovery is jeopardised if a credit agency, thus the controller in this case, stores data on the data subject’s insolvency proceedings in order to assess the data subject’s creditworthiness, as this data is always used as a negative factor in the assessment. In light of this, the